<p dir="ltr">Sounds like a process started the port, NFS likely, but closed unexpectedly and failed to release the port. Sounds like an NFS mount that lost connection and remade on the other port.</p>
<p dir="ltr">NFS is weird.</p>
<div class="gmail_quote">On Jan 3, 2014 2:52 AM, "Alex Carver" &lt;<a href="mailto:agcarver%2Bale@acarver.net">agcarver+ale@acarver.net</a>&gt; wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Well, a reboot took care of whatever it was because there are no<br>
unexpected open ports now. Very peculiar but I didn't see any out of<br>
the ordinary processes and I run a file system scan every night<br>
(integrit) which didn't show any changes.<br>
<br>
On 1/2/2014 22:55, Alex Carver wrote:<br>
> Ok, even stranger. Watching the wireshark transactions, I am able to<br>
> send four bytes to this port. After four bytes the connection is closed<br>
> on the server end. I can't see any valid data coming back from the<br>
> port, most of it is just TCP SYNs and ACKs. There doesn't appear to be<br>
> any data coming back (wireshark shows no data attached to any return<br>
> packet and all the returns are ACK and FIN packets). If I connect a few<br>
> more times I start to receive RST packets instead.<br>
><br>
> There's a UDP port 38501 that's also open with no identifiable program.<br>
> That one echoes anything I type as long as it's four bytes or less.<br>
><br>
> I've also shut down every service on the system and both ports are still<br>
> open. I'm thoroughly confused now.<br>
><br>
> On 1/2/2014 22:23, Alex Carver wrote:<br>
>> Well, that clears up one port, 54906 is being used by rpc.statd (I've<br>
>> got an NFS server running on that machine). But the other port, 42865,<br>
>> doesn't show up in the list. However, it does respond to a connection<br>
>> request from netcat and sending a simple carriage return causes a zero<br>
>> byte response (well, zero payload bytes, only the TCP headers). I can<br>
>> send other random characters but it disconnects afterwards. Very<br>
>> peculiar. I'm downloading wireshark now to sniff at it some more. It<br>
>> can get hard to read tcpdump.<br>
>><br>
>><br>
>><br>
>> On 1/2/2014 22:11, Beddingfield, Allen wrote:<br>
>>> Try "lsof -l -P|grep LISTEN" on the system with those ports open.<br>
>>><br>
>>> Allen B.<br>
>>> --<br>
>>> Allen Beddingfield<br>
>>> Systems Engineer<br>
>>> The University of Alabama<br>
>>><br>
>>> ________________________________________<br>
>>> From: <a href="mailto:ale-bounces@ale.org">ale-bounces@ale.org</a> [<a href="mailto:ale-bounces@ale.org">ale-bounces@ale.org</a>] on behalf of Alex Carver [<a href="mailto:agcarver%2Bale@acarver.net">agcarver+ale@acarver.net</a>]<br>
>>> Sent: Thursday, January 02, 2014 11:49 PM<br>
>>> To: Atlanta Linux Enthusiasts<br>
>>> Subject: [ale] Identfy source of open ports<br>
>>><br>
>>> It's a new year so on a whim I started nmaps of various machines and<br>
>>> devices on my home network to see what was open and if anything I didn't<br>
>>> know about popped up.<br>
>>><br>
>>> One of my Debian boxes popped up with two ports out of the blue. Port<br>
>>> 42865 and 54906. I don't know of any services running that use those<br>
>>> ports. Running netstat -ap doesn't show much either, it has a blank<br>
>>> entry for the PID/Program name:<br>
>>><br>
>>> Proto Recv-Q Send-Q Local Address Foreign Address State<br>
>>> PID/Program name<br>
>>><br>
>>> tcp 0 0 *:42865 *:* LISTEN -<br>
>>> tcp 0 0 *:54906 *:* LISTEN -<br>
>>><br>
>>> Anything else I can use to try and ferret out what it is that is<br>
>>> listening on these ports? Neither port is accessible from the outside<br>
>>> world due to a firewall. A scan of two other Debian boxes shows mostly ok<br>
>>> (expected services) though one shows port 779 open in listen mode but<br>
>>> again with no PID, and the other machine shows 31599 (also not accessible).<br>
>>><br>
>>> Searching online for those particular ports doesn't provide any useful<br>
>>> information (779 claims one use is for NetInfo on OS X but that machine<br>
>>> is not a Mac).<br>
>>> _______________________________________________<br>
>>> Ale mailing list<br>
>>> <a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
>>> <a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
>>> See JOBS, ANNOUNCE and SCHOOLS lists at<br>
>>> <a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
</blockquote></div>
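<p>Added example, not part of the thread: one way to account for a listener that <code>netstat -ap</code> and <code>lsof</code> show with a blank PID is to match each LISTEN socket's inode against every process's open descriptors, then look up the leftovers in <code>rpcinfo -p</code>. The thread never established what held port 42865; the sample data below is constructed and assumes it was registered by the kernel NFS lock manager (<code>nlockmgr</code>), which has no user-space process. All function and variable names are hypothetical.</p>

```python
import os
import re

def listening_sockets(proc_net_tcp):
    """Return [(port, inode)] for LISTEN rows (state 0A) in /proc/net/tcp text."""
    found = []
    for line in proc_net_tcp.splitlines()[1:]:          # skip the header row
        f = line.split()
        if len(f) > 9 and f[3] == "0A":
            found.append((int(f[1].rsplit(":", 1)[1], 16), int(f[9])))
    return found

def socket_owners(proc="/proc"):
    """Map socket inode -> pid from /proc/<pid>/fd links (run as root to see all)."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            for fd in os.listdir(f"{proc}/{pid}/fd"):
                m = re.fullmatch(r"socket:\[(\d+)\]", os.readlink(f"{proc}/{pid}/fd/{fd}"))
                if m:
                    owners[int(m.group(1))] = int(pid)
        except OSError:                                  # process exited or access denied
            continue
    return owners

def rpc_ports(rpcinfo_p):
    """Map TCP port -> RPC service name from `rpcinfo -p` text."""
    rows = (line.split() for line in rpcinfo_p.splitlines()[1:])
    return {int(r[3]): r[4] for r in rows if len(r) >= 5 and r[2] == "tcp"}

def explain(proc_net_tcp, owners, rpcinfo_p):
    """Label each listener with its pid, or with its RPC registration if ownerless."""
    rpc = rpc_ports(rpcinfo_p)
    return {port: f"pid {owners[inode]}" if inode in owners
            else f"no process, rpc: {rpc.get(port, 'not registered')}"
            for port, inode in listening_sockets(proc_net_tcp)}

# Constructed sample data (not captured from the poster's machine).
SAMPLE_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:D67A 00000000:0000 0A 00000000:00000000 00:00000000 00000000   102        0 9002 1
   1: 00000000:A771 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9003 1
   2: 0100007F:0016 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 9004 1"""
SAMPLE_OWNERS = {9002: 1410, 9004: 2200}                 # inode -> pid, constructed
SAMPLE_RPCINFO = """   program vers proto   port  service
    100024    1   tcp  54906  status
    100021    4   tcp  42865  nlockmgr"""

if __name__ == "__main__":
    print(explain(SAMPLE_TCP, SAMPLE_OWNERS, SAMPLE_RPCINFO))
```

<p>On a live host, pass the contents of <code>/proc/net/tcp</code>, the result of <code>socket_owners()</code> and the output of <code>rpcinfo -p</code>. A listener that comes back as "not registered" has neither an owning process nor an RPC registration and is the one that still needs explaining.</p>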